Europe’s highest court on Tuesday struck down a key legal principle that had enabled U.S. web giants to operate in the European Union and store and manipulate the personal data of people living there. The ruling could have far-reaching consequences for trans-Atlantic web businesses.
In his case brought against Facebook, Max Schrems, an Austrian law-student-turned-lawyer, challenged the social network’s practice of storing and processing personal data, which, he successfully argued, had violated European privacy law.
The Luxembourg-based court agreed, invalidating Safe Harbor, a fast-track legal method used by U.S. web businesses to comply with European privacy restrictions since the 1990s.
The legal principle had enabled all forms of web businesses, from giants such as Google, Facebook and Amazon, to small firms, to operate in Europe essentially without restriction.
Under Safe Harbor, companies promised that the private data of E.U. citizens would be handled in the United States under the same privacy rules that apply in Europe.
But Mr. Schrems, who currently studies at the University of Vienna, challenged this fundamental guarantee of Safe Harbor, illustrating in minute detail how Facebook had collected, stored and manipulated his own personal data in violation of Austrian and E.U. law.
Experts said the immediate fallout from the European court’s ruling would be minimal and websites such as Facebook and Google would continue to operate. But over the long term, U.S. tech giants such as Facebook and Google may have to reassess and revise how they store and transfer E.U. data.
“The Court of Justice declares that the Commission’s U.S. Safe Harbor Decision is invalid,” the court said in its decision, leaving no room for doubt. Legal experts said lawmakers on both sides of the Atlantic would be pressured to draft a new legal regime to ensure the trans-Atlantic flow of data.
Some analysts said new legal frameworks that are eventually developed for web businesses may be more costly and less efficient than Safe Harbor. The court ruling will likely have repercussions for many of the E.U.’s 500 million residents, who like Americans tend to favor U.S. web businesses such as Google, Facebook and Amazon for their online needs.
In a statement given to Handelsblatt Global Edition, Facebook said that it “like many thousands of European companies, relies on a number of the methods prescribed by E.U. law to legally transfer data to the U.S. from Europe, aside from Safe Harbor.”
“It is imperative that E.U. and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security.”
Andreas Splittgerber, a Munich lawyer at Olswang who specializes in technology, told Handelsblatt Global Edition the court’s verdict was unusually strong.
“The ruling has really smashed into the face of the U.S. and everyone who is exporting data to the U.S.,” he said.
“Safe Harbor is dead. This puts a lot of pressure on the (European) Commission, the Federal Trade Commission, and the U.S. government to agree on a new Safe Harbor.”
The court ruled that the principles behind Safe Harbor were invalid and each E.U. country must now decide individually how its citizens’ data is processed.
Tuesday’s ruling brings to a close a case that began in 2011, when Mr. Schrems, now 27, complained to the Irish Data Protection Commission that Facebook was unlawfully keeping records of his activity on the social networking site in violation of European privacy law.
Companies such as Microsoft, Google and Facebook base their European operations in Ireland for tax reasons, and in part because the enforcement of E.U. and Irish privacy laws is less strict than in other countries in Europe.
In response to Mr. Schrems’ complaint, Ireland’s data protection commissioner, Billy Hawkes at the time, did not see a need to intervene, arguing that Facebook’s activities were covered by Safe Harbor.
Mr. Schrems appealed Mr. Hawkes’ ruling. The case moved through the Irish courts and eventually to the European Court of Justice.
The high court officially ruled on a specific question: Do national data protection authorities have to accept Safe Harbor, or can they put the principle on hold if they do not believe it protects their citizens?
In its ruling, the European court made clear that national data authorities can examine whether an individual’s privacy is being compromised. The high court ruled that “the Commission did not have competence to restrict the national supervisory authorities’ powers in that way.”
Following the ruling, Mr. Schrems said: “This decision is a major blow for U.S. global surveillance that heavily relies on private partners. The judgement makes it clear that U.S. businesses cannot simply aid U.S. espionage efforts in violation of European fundamental rights.”
As a result of the ruling, Ireland’s data protection regulator must now decide whether Facebook can still be allowed to transfer data from the 29-nation E.U. bloc to web businesses based in the United States under Safe Harbor.
The European Commission planned a news conference at 3 p.m. local time in Brussels with Frans Timmermans, the European Commission vice president in charge of regulation, and Vera Jourova, the commissioner for justice.
The Commission has been working on new Safe Harbor legislation to take into account the criticisms highlighted by the court.
The ruling had been widely expected after European advocate general, Yves Bot, who is advising the court on the case, said last month that Safe Harbor did not protect E.U. citizens’ privacy.
Mr. Bot referred to former U.S. National Security Agency contractor Edward Snowden’s revelations about spying practices when arguing against data transfers from the European Union to the United States.
“It follows from these factors that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the (European) Union which is transferred under the Safe Harbor scheme, without those citizens benefiting from effective judicial protection,” Mr. Bot argued at the time.
The court appeared to agree with Mr. Bot, and in its ruling said Safe Harbor does not allow “for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data.”
The ruling was a victory for German data protection commissioners, who have long been questioning the privacy guarantees contained in the Safe Harbor principles.
In 2010, the association of German data protection regulators ruled that companies that transfer personal data to the United States may no longer rely on a statement by a U.S.-based processor of European data that it is Safe Harbor-certified, but must carry out their own checks.
Alexander Dix, the data commissioner for the city-state of Berlin, told Handelsblatt Global Edition in March that he and his colleagues were unhappy with the efficacy of Safe Harbor and were willing to use their national regulatory powers to force companies to change.
Some 50 percent of all data that flows to the United States goes via Safe Harbor. There are some other legal “bridges” that allow data flow.
Standard Contractual Clauses is similar to Safe Harbor, and can be set up between the European Union and countries outside the E.U. bloc. Several U.S. companies have set up such clauses, in anticipation of today’s ruling, but Mr. Splittgerber said the measures are based on similar principles to Safe Harbor, which can also be legally challenged.
Multinational companies often rely on a more complex system of data transfer called Binding Corporate Rules, which they use to send data within parts of their organization in different countries.
Companies such as BMW, Deutsche Telekom and Siemens already use these complicated agreements to protect their own data transfers. The system is legally sound, but expensive, and administratively complicated to set up.
Meera Selva is an editor with Handelsblatt Global Edition and has covered security issues and terrorism in Britain, Africa and Berlin.